SCADA Systems in Railways Vulnerable to Attack

By Fahmida Y. Rashid |
Posted 2012-01-25

Government
officials initially believed railway signal disruptions in December were tied
to a cyber-attack against a Northwest rail company in December, Nextgov reported.
But government and railway officials later denied that a U.S. railroad had
actually been hit by a cyber-attack.

"There
was no targeted computer-based attack on a railroad," said Holly Arthur, a
spokeswoman for the Association of American Railroads.

While
an attack has been ruled out, the incident highlights the dangers of industrial
control systems controlling critical infrastructure.

Train
service on the unnamed railway was "slowed for a short while" and
schedules delayed for 15 minutes on Dec. 1, according to a Transportation
Security Administration memo obtained by Nextgov. A "second event"
occurred just before rush hour the next day, but it did not affect schedules,
according to the Dec. 20 memo, which summarized the agency's outreach efforts
to share threat intelligence with the transportation sector.

"Amtrak
and the freight rails needed to have context regarding their information
technical centers," the memo said, adding that rail operators were not
focused on cyber-threats.

TSA
investigators discovered two IP addresses for the intruders associated with the
Dec. 1 incident and another for Dec. 2. Investigators considered the
possibility of the attackers being based overseas, but did not specify the
suspected country, Nextgov reported. Alerts listing the three IP addresses were
sent to several hundred railroad firms and public transportation agencies.

Officials
at the Department of Homeland Security, which oversees the TSA, told Nextgov on
Jan. 23 that further investigation showed it may not have been a targeted
attack, but did not explain what may have caused the "anomalous
activity."

The
railway incident is similar to what happened at an Illinois utility last fall.
A government fusion center claimed Russian attackers had remotely destroyed
the facility's water pump, but the DHS on further investigation claimed it
was not an attack. It later turned out the intrusion had been an American
contractor remotely logging in to perform some maintenance tasks.

However,
the TSA's railway memo highlights how vulnerable the railways are to an attack
on supervisory control and data acquisition (SCADA) systems, according to
experts from Casaba Security, a security analysis and consulting company. Just
about anything in the railway infrastructure could be controlled by SCADA
systems, including track switches, signal and crossing lights, transformers,
weather and track sensors, engine monitors, railway car sensors, electronic
signs and even turnstiles, said Samuel Bucholtz, Casaba's co-founder. Most of
these systems are connected to the network so that they can obtain data
collected by the sensors.

"A
sensor that can detect the position of a track switch is not helpful unless it
can pass that data to an operations center hundreds of miles away,"
Bucholtz said.

Connecting
SCADA systems to the Internet puts the infrastructure at risk because it opens
up the possibility of intruders finding a way into the network. However, many organizations
take that risk to save money, simplify the infrastructure and ease maintenance.
It is usually cheaper to transmit data over the Internet instead of investing
in dedicated lines or wireless frequency space, according to Bucholtz.

"The
benefit of SCADA being 'online' is that the Internet is cheap, robust,
standardized and easily accessible," Bucholtz said.

The
downside is that without proper protections, the infrastructure is wide open to
anyone looking. Cambridge University researcher Eireann Leverett developed a
tool that mapped more than 10,000 industrial control systems accessible from
the Internet, including water and sewage plants. While some of the systems
could have been demo systems or used in places that wouldn't count as critical
infrastructure, such as the heating system in office buildings, some were
active systems in water facilities in Ireland and sewage facilities in
California.

Only
17 percent of the systems mapped asked for authorization to connect, suggesting
that administrators either weren't aware the systems were online or had not
installed secure gateways, Leverett said. Leverett, a computer science doctoral
student at Cambridge, presented the findings at the S4
conference in Miami.

Administrators
need to set up secure and isolated networks and use Secure Sockets Layer or a virtual
private network to restrict who can talk to the controllers, according to John
Michener, chief scientist at Casaba. Since SCADA systems will likely be
Internet-accessible, administrators should focus on putting them behind a
secure gateway. "Increasingly all the communications are over the Net, so
being on the Net is all but inescapable," Michener said.